---
apiVersion: v1
kind: ServiceAccount
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "gatekeeper.sh/system" "yes" "app" "gatekeeper")) | nindent 2 }}
  name: admission-policy-engine
  namespace: d8-{{ .Chart.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "gatekeeper.sh/system" "yes" "app" "gatekeeper")) | nindent 2 }}
  name: gatekeeper-manager
  namespace: d8-{{ .Chart.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
{{/*  For constraint exporter*/}}
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - create
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "gatekeeper.sh/system" "yes" "app" "gatekeeper")) | nindent 2 }}
  name: "d8:admission-policy-engine:gatekeeper"
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resourceNames:
      - gatekeeper-mutating-webhook-configuration
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - config.gatekeeper.sh
    resources:
      - configs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - config.gatekeeper.sh
    resources:
      - configs/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - constraints.gatekeeper.sh
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - externaldata.gatekeeper.sh
    resources:
      - providers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - mutations.gatekeeper.sh
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - policy
    resourceNames:
      - gatekeeper-admin
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - status.gatekeeper.sh
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - templates.gatekeeper.sh
    resources:
      - constrainttemplates
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - templates.gatekeeper.sh
    resources:
      - constrainttemplates/finalizers
    verbs:
      - delete
      - get
      - patch
      - update
  - apiGroups:
      - templates.gatekeeper.sh
    resources:
      - constrainttemplates/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - admissionregistration.k8s.io
    resourceNames:
      - gatekeeper-validating-webhook-configuration
    resources:
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "gatekeeper.sh/system" "yes" "app" "gatekeeper")) | nindent 2 }}
  name: gatekeeper-manager
  namespace: d8-admission-policy-engine
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gatekeeper-manager
subjects:
  - kind: ServiceAccount
    name: admission-policy-engine
    namespace: d8-{{ .Chart.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  {{- include "helm_lib_module_labels" (list . (dict "gatekeeper.sh/system" "yes" "app" "gatekeeper")) | nindent 2 }}
  name: "d8:admission-policy-engine:gatekeeper"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "d8:admission-policy-engine:gatekeeper"
subjects:
  - kind: ServiceAccount
    name: admission-policy-engine
    namespace: d8-{{ .Chart.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:admission-policy-engine:gatekeeper:rbac-proxy
  {{- include "helm_lib_module_labels" (list . (dict "app" "gatekeeper")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:rbac-proxy
subjects:
  - kind: ServiceAccount
    name: admission-policy-engine
    namespace: d8-{{ .Chart.Name }}
